Cyber-Incident Reporting Legislation Clears House in Bipartisan Spending Bill

Legislation requiring private companies to report cybersecurity incidents to the Cybersecurity and Infrastrcucture Security Agency could hitch a ride to the president’s desk in an omnibus spending bill set for consideration in the Senate Thursday following House passage. 

“Requiring owners and operators to report significant cyber incidents and ransomware attacks to CISA will mean greater visibility for the federal government, earlier disruption of malicious cyber campaigns, and better information and threat intelligence going back out to the private sector, so they can defend against future attacks,” the bipartisan leaders from the House Homeland Security Committee said in a press release Thursday after House votes the night before. “The authorities and resources provided in this bill can’t come soon enough, as CISA works to combat rapidly evolving cyber threats in this shifting geopolitical landscape.” 

The reporting provisions require critical infrastructure entities to share details associated with a “reasonable belief” a cybersecurity incident has occured to CISA within 72 hours of such an assessment. After meeting a size threshold, companies would also have to tell CISA of any ransomware payments they make within 24 hours of doing so. 

The Senate passed identical provisions by unanimous consent March 1, with Russian aggression in Ukraine providing a sense of urgency. The upper chamber is on Thursday expected to start consideration of the bill to fund the federal government which is already about five months late. The government has meanwhile been operating in a jerky pattern of stop-gap measures. 

“The legislation will reduce costs for American families and business, support our historic economic recovery, advance equity and further restore U.S. leadership abroad,” the White House said, releasing a fact sheet on the appropriations Thursday. “The bipartisan funding bill would also end a damaging series of short-term continuing resolutions that for months have undermined the government’s ability to meet pressing challenges. The Senate should send the bipartisan funding bill to the President’s desk for signature without delay.” 

The conflict in Ukraine is also causing federal agencies to push ahead with their own initiatives to gather information from cybersecurity incidents affecting US critical infrastructure entities under their control. 

The Securities and Exchange Commission, for example, on Tuesday proposed rules requiring publicly traded companies to amend their 8-K filings “to disclose information about a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident.” 

Assuming the incident reporting legislation becomes law, debates about important details would then move to CISA, where a rulemaking process could drag on for more than three years before its provisions are enforceable. CISA is not necessarily expected to use all that time, but industry is already starting to push back on some aspects of the bill.

“We believe the 72 hours should run, not from an entity’s reasonable belief, but from knowledge that a covered incident occurred,” Henry Young, policy director for BSA | The Software Alliance, said in an email reacting to the Senate’s passage of the incident reporting legislation. “Prior to knowing, a company is still investigating, and its focus should be on determining whether there is anything to respond to and report. If the bill becomes a law, BSA looks forward to working with DHS to do the important and challenging work of defining ‘covered entity’ and ‘covered cyber incident.’”